Note:I translated Japanese into English using Google Translate.
Thank you, Google.
Let's create a record labeled (realloc).
Create Example folder and create several files in the folder. In the following, a long file name is set to create Index Allocation of $i30.
Copy frog.jpg to be used for testing to the F:\Example folder.
Create a hard link to the frog.jpg file. Frog.jpg and sample.jpg are FILE record number 51.
Delete the folder F:\Example.
If you check $i30, you can find Frog.jpg's $FN. Interesting, FTK Imager 4.1.1.1 does not display Frog.jpg.
Check the display on Autopsy. Flags (Dir) is Unallocated, but Flags (Meta) is Allocated.
In addition, Frog.jpg is not displayed on the timeline of plaso-20180818-amd64.
Reference URL:
